Topic: Backdoor for Secret Agencies (Read 71028 times)

I think my question will not be answered to a satisfactory degree. Nevertheless the NSA and other secret agencies have sparked through the public media recently. I've been always concerned about my data and secured docs.

Now, let me put it simply: do you have a backdoor in your software? This ain't no softball question. Since you are a U.S.-based company, and I assume you are all American citizens living there, you are obliged to U.S. laws. Thus you may provide the government either direct or indirect access.

The whole concept of encryption with Espionage will be nullified if the government is able or capable to simply use a switch to have an insight into our encrypted folders. No decryption is required, just an easy path for agencies. This would make literally, absolutely no sense in encrypting anything with your software. As many people already noted, I am, as well, very disappointed how Espionage scrapped the full application encryption like we got with E2. The transition, that's how I would call it ^^, was very fishy to me, speaking of Espionage V2 to V3. Even though your official statement might be valid, I still feel a bit unwell in my belly.

Officially key points have been revealed already. Everything that goes to the US is under direct surveillance. If that's not enough entire Emails and traffic of Non-Americans are also under the all seeing eye. We all have it through: Google, Microsoft, Facebook and what not. All major U.S companies are subjected by LAW to either provide data or access. Lavabit's gone, because the founder did not want to kill the privacy of his users. He simply refused to cooperate and decided to better shut down the servers.

I wonder if there is any clue or piece of information to guarantee us transparency. Can you shed any light on this matter, please?

Quote

I think my question will not be answered to a satisfactory degree. Nevertheless the NSA and other secret agencies have sparked through the public media recently. I've been always concerned about my data and secured docs.

Now, let me put it simply: do you have a backdoor in your software? This ain't no softball question. Since you are a U.S.-based company, and I assume you are all American citizens living there, you are obliged to U.S. laws. Thus you may provide the government either direct or indirect access.

Our code for Espionage has exactly zero backdoors in it. The actual encryption of data is handled by Apple's encrypted disk images, to which we do not have the source code.

They were not able to find any serious problems with the encryption and created a tool to brute force the password. Espionage 3 generates these passwords for you on your behalf, so you don't have to worry about that. They aren't easy to brute force because they use a secure random number generator (arc4random_uniform) and are very long. Here's what they look like: h*R&mZtN-9wolWQ^E8W!Odi|m5A4N#tXhJ.

Quote

The whole concept of encryption with Espionage will be nullified, if the government is able or capable to simply use a switch, to have an insight into our encrypted folders. No decryption is required, just an easy path for agencies. This would make literally, absolute no sense in encrypting anything with your software.

Of course, no argument there. I wouldn't use it either if that were the case.

Quote

As many people already noted, I am as well, very disappointed how Espionage scrapped the full application encryption like we got with E2.

We did our best to address this issue without resorting to the use of a kernel extension when we released Espionage 3.5. Now the difference between version 2 and version 3, to open an encrypted app, is just an extra click in version 3.

Quote

The transition, that's how I would call it ^^, was very fishy to me- speaking of Espionage V2 to V3. Even though your official statement might be valid, I still feel a bit unwell in my belly.

Does it help to know that Espionage 3 is way more secure than Espionage 2? It doesn't rely on OS X's keychain (which uses 3DES) and it protects your disk image passwords with scrypt. Espionage 3 also sports plausible deniability features that no other encryption app on OS X does. Say you're forced to give up your master password by a gun pointed at your head. Espionage 2 wouldn't protect you there, but version 3 does (if you took the time to make use of its plausible deniability features before someone put a gun to your head).

Quote

Officially key points have been revealed already. Everything that goes to the US is under direct surveillance. If that's not enough entire Emails and traffic of Non-Americans are also under the all seeing eye. We all have it through: Google, Microsoft, Facebook and what not. All major U.S companies are subjected by LAW to either provide data or access. Lavabit's gone, because the founder did not want to kill the privacy of his users. He simply refused to cooperate and decided to better shut down the servers.

We strongly recommend using GPGTools to keep your email encrypted as you send it over the internet, and combine it with Espionage 3 to protect your email locally on your machine, should it get into the wrong hands.
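The two design points in this reply, a generated disk-image password drawn from a CSPRNG with an unbiased range function (arc4random_uniform) and a master password run through scrypt before it protects anything, can be shown together in a short script. This is an added example written for this thread, not Espionage's code: the 94-symbol alphabet, the 34-character length, the scrypt cost parameters and the one-time-pad-plus-HMAC wrapping are all my assumptions; a shipping app would use an AEAD such as AES-GCM for the wrapping step. `secrets.choice` uses rejection sampling, which is the same no-modulo-bias guarantee arc4random_uniform gives in C.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
from typing import Optional

# Printable ASCII without space: 94 symbols. The sample password quoted on the
# page (h*R&mZtN-9wolWQ^E8W!Odi|m5A4N#tXhJ) draws from an alphabet like this;
# the exact alphabet and length are assumptions for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 34, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG; every symbol is equally likely."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of equally likely passwords an attacker must cover."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password after covering half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second / (365 * 24 * 3600)


# scrypt cost parameters: assumed for this example, not the app's real values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAC_KEY_LEN = 32


def _key_material(master_password: str, salt: bytes, length: int) -> bytes:
    # One scrypt call yields both the MAC key and a keystream of the needed length.
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          dklen=MAC_KEY_LEN + length)


def protect(master_password: str, image_password: str) -> dict:
    """Wrap the generated image password under the master password.

    A fresh salt per record means the scrypt-derived keystream is never reused,
    so XOR acts as a one-time pad; the HMAC (encrypt-then-MAC) lets us reject a
    wrong master password or a tampered record before decrypting anything.
    """
    salt = os.urandom(16)
    pw = image_password.encode()
    material = _key_material(master_password, salt, len(pw))
    mac_key, stream = material[:MAC_KEY_LEN], material[MAC_KEY_LEN:]
    ciphertext = bytes(a ^ b for a, b in zip(pw, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unprotect(master_password: str, record: dict) -> Optional[str]:
    """Recover the image password, or None if the master password is wrong or
    the record was modified (tag compared in constant time)."""
    salt, ct = record["salt"], record["ciphertext"]
    material = _key_material(master_password, salt, len(ct))
    mac_key, stream = material[:MAC_KEY_LEN], material[MAC_KEY_LEN:]
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


if __name__ == "__main__":
    image_pw = generate_password()
    bits = entropy_bits(len(image_pw), len(ALPHABET))
    print(f"{image_pw}  ({bits:.1f} bits; "
          f"{brute_force_years(bits, 1e12):.3g} years at 10^12 guesses/s)")
    record = protect("correct horse battery staple", image_pw)
    print("unwrapped with right master:", unprotect("correct horse battery staple", record) == image_pw)
    print("unwrapped with wrong master:", unprotect("wrong", record))
```

The length of the ciphertext reveals the length of the wrapped password, which is acceptable here only because that length is fixed and public; note also that scrypt protects the master password against guessing, not the generated image password, which is already far beyond brute force on its own.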

I was just wondering what we could expect in the next version. Furthermore I think you might want to redo your usability. I've been reading through the forums and most of the users, even intermediate ones, have problems using it.

Maybe you could re-introduce app-templates again, similar to version 2.
Make it more accessible and quicker to encrypt apps.

Hello Rose, users can always turn to support and ask if anything is unclear. Espionage 3 is simpler than 2; I'm not sure how we can make it even simpler. If you have some posts you would refer to, please do so, as I'm dealing with support tickets and forum posts all the time, so an "external" view of things might help us understand where the problems are. Next release should be out soon, and will include some features users were asking for, but it is not finalized yet.

BTW, to speed up the use of Espionage 3.5 with apps, I strongly recommend getting used to its keyboard shortcuts. This is something that I'm actually discovering for myself right now. Before, I would use the mouse to click the icon in the menu bar to bring up the login prompt, but now I've noticed that it's *much* faster to use the keyboard shortcuts mentioned in the preferences.

Given the recent news about the NSA planting backdoors in commercial encryption tools, I've made this topic a sticky post in our forums. Also I really liked this quote from Bruce Schneier (bold emphasis is his):

Quote from: Bruce Schneier

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

We are not a large vendor by any means, but we do rely on encrypted sparse bundles that are created by a tool made by a large vendor. I addressed that issue above. Of course, I would be happier if Espionage 3 did not rely on Apple's code.

There is an even bigger issue though than sparsebundles, and that is the fact that Espionage runs on OS X, Apple's proprietary operating system. Even if we were to switch to something like EncFS, we couldn't guarantee, for example, that OS X didn't have some backdoor in it that would secretly store everything you ever entered into a password prompt into some secret encrypted file somewhere, or send it directly to Apple's servers over its seemingly innocuous "Software Update" channel. When you own the OS, there are lots of dirty possibilities. So the issue is rather significant, but you are definitely far better off using encryption on OS X (whether it be Espionage 3 or something else) than you would be without it.

Finally, there's the issue of our code not being open source. This is indefensible. I would like to open source our code at some point in the near future, but I need to find the time to properly go about that. In the meantime, I would be happy to send our source code for review to any third-party security professional with a well-known and long-running public background of being competent and ethical with respect to all these matters. Absolutely no one with any traceable association to any government security agency, defense contractors, or even any questionable company (think MSFT) will be accepted for early source-code access.

Said professionals, should they be interested in reviewing our code, are welcome to contact us publicly or privately (or both).

Forgive me if this question seems dumb but please would you explain how to use GPG Tools to verify the signed message in the page source from Safari?

I've tried copying and pasting it to a text file but receive a verification error when I try to use the OpenPGP: Validate service.

Hmm, you are right, this is odd, I might need to speak with the GPGTools team about this, as it's not verifying on my end either now (it seems it was signed with a key that is a subkey of A884B988, but why it fails to verify even on *my* machine, even after re-signing, I do not fully understand).

Don't panic though: as of September 14, 2014 10:48PM PDT, we still haven't received an NSL letter or anything of the sort.

If this problem isn't fixed within two weeks of this message posting, consider that a sign that the FBI *has* been here (or I got hit by a bus).

OK, Mr. gpgtoolsnewbie, problem should be fixed. I accidentally broke the signature doing a search/replace of the entire document (doh!).

Note that in the latest GPGTools nightlies it still fails to verify the signature for some reason (I've opened up an issue about this with their team), but I think GPGTools 2.1 (the current release) should verify it (let me know if it doesn't). You can also manually copy and paste that text (including the "ASCII guards"—the dashed parts that surround it) into a plain text file, save it, and run gpg -v on it, it should show it as a valid signature (e.g.: gpg -v path/to/textfile.txt).
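The two failure modes in this exchange (a Find/Replace-All that silently altered the signed text, and a browser that may re-wrap what the reader copies out of the page) both come down to the signed text no longer matching byte for byte. The script below is an added example for this thread, not code from the author or from GPGTools; it pulls the clearsigned block out of a constructed page source, reverses the cleartext-signature framing rules of RFC 4880 section 7 (the "ASCII guards", the Hash: header, dash-escaping, trailing whitespace ignored, lines joined with CRLF) and hashes the resulting text. That digest is only over the text, not the full hash gpg signs (which also covers the signature's own hashed subpackets), so it shows why an edit breaks verification; `gpg --verify` on the saved file remains the actual check.

```python
import hashlib
from typing import Optional

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def extract_clearsigned(page_source: str) -> Optional[str]:
    """Return the complete clearsigned block (armor lines included) from a page
    source, or None. Take it from the raw source: the rendered page may have
    been re-wrapped or had its whitespace collapsed by the browser."""
    start = page_source.find(BEGIN_SIGNED)
    end = page_source.find(END_SIG, start if start >= 0 else 0)
    if start < 0 or end < 0:
        return None
    return page_source[start:end + len(END_SIG)] + "\n"


def signed_text(block: str) -> str:
    """Recover the text that was signed, per RFC 4880 section 7:
    skip the Hash: armor headers and the empty line that ends them, undo
    dash-escaping ("- " prefix), drop trailing spaces/tabs on every line,
    join with CRLF, and omit the line ending before the signature armor."""
    lines = block.splitlines()
    try:
        i = lines.index(BEGIN_SIGNED) + 1
        j = lines.index(BEGIN_SIG)
    except ValueError:
        raise ValueError("not a clearsigned block")
    while i < j and lines[i] != "":  # armor headers such as "Hash: SHA256"
        i += 1
    i += 1  # the single empty line after the headers
    body = []
    for line in lines[i:j]:
        if line.startswith("- "):
            line = line[2:]
        body.append(line.rstrip(" \t"))
    return "\r\n".join(body)


def text_digest(block: str) -> str:
    """SHA-256 of the canonical signed text: a fingerprint for spotting edits,
    not the value gpg verifies against the signature."""
    return hashlib.sha256(signed_text(block).encode("utf-8")).hexdigest()


def same_text(block_a: str, block_b: str) -> bool:
    return text_digest(block_a) == text_digest(block_b)


# Constructed sample page: a signed canary with one dash-escaped line and one
# line with trailing spaces. The signature armor is a placeholder, not real.
SAMPLE_PAGE = "\n".join([
    "<html><body><pre>",
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "As of September 14, 2014 we have received no national security letter.   ",
    "- -- signed, placeholder",
    BEGIN_SIG,
    "",
    "iQEcBAEBCAAGBQJU (placeholder armor, not a real signature)",
    END_SIG,
    "</pre></body></html>",
])


if __name__ == "__main__":
    block = extract_clearsigned(SAMPLE_PAGE)
    print(signed_text(block))
    print("digest:", text_digest(block))
    # The Find/Replace-All mistake from the thread: one word changed in the
    # signed region is enough to make the signature fail.
    edited = block.replace("September", "Sept")
    print("same signed text after replace-all?", same_text(block, edited))
    # Trailing whitespace, by contrast, is ignored by the canonical form.
    print("same after stripping trailing spaces?",
          same_text(block, block.replace("letter.   ", "letter.")))
```

Writing the extracted block to a file and running `gpg --verify` on it is the real verification; the "undefined trust" wording that follows a good signature is about whether the signing key is one you have chosen to trust, a separate question from whether the text is intact.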

You are most welcome. Thanks for responding and resolving the problem so quickly. The updated page can indeed be validated with gpgtools 2.1.

Personally I find it easier to copy the text from the web page source, paste it into an editor, select it all and use the OpenPGP: Verify service from the app menu. The use of services instead of the command line seems to be more consistent with the techniques encouraged in the gpgtools kb articles and I suspect a large proportion of your intended user community would find it easier too.

By way of a bit of constructive feedback, I think an FAQ explaining how to "verify the signature of this watch zone" would be very helpful to newbies like me. Especially if the answer to the question explains why verifying the signature should enhance one's trust in what is written.

I make this point because it is the first time I've ever tried to verify a PGP signature and was led into the exercise by the text on your page. Instead of being reassured as intended, I ended up confused and, bizarre as it might seem to you, I'm still not sure why I should now attach any increased level of belief to what is written there. Particularly when the words "undefined trust" come up in the results of the verification.

I don't think I'm an idiot but I am a newcomer to the world of cryptography applications. This is a very complex area even for people like me who are former software developers and so reasonably proficient with computers.

(Incidentally, the page source link doesn't "work" on my standard installation of Safari 7.0.6. I get a dialog with the error: "There is no application set to open the URL view-source:https://www.espionageapp.com/".) I don't know if there is a way to overcome that or not.

Anyway, keep up the good work. I really appreciate the effort you are making to simplify encryption for us.

Quote

Personally I find it easier to copy the text from the web page source, paste it into an editor, select it all and use the OpenPGP: Verify service from the app menu. The use of services instead of the command line seems to be more consistent with the techniques encouraged in the gpgtools kb articles and I suspect a large proportion of your intended user community would find it easier too.

You should be able to just verify directly in the source (using the Service menu), but it might depend on whether the browser messes with the formatting or not.

Quote

By way of a bit of constructive feedback, I think an FAQ explaining how to "verify the signature of this watch zone" would be very helpful to newbies like me. Especially if the answer to the question explains why verifying the signature should enhance one's trust in what is written.

I'll be honest: while that's a great suggestion, it is low on our priority list. If we had resources to spare, it would be done, but right now we are focusing, among other things, on making sure E3 doesn't break when Yosemite is released.

This situation, remember, was also my fault. You would have likely successfully verified the signature the first time around had I not made my silly Find/Replace-All mistake. We are counting on a small fraction of our users who are savvy enough to use GPG properly to verify it.

Quote

I make this point because it is the first time I've ever tried to verify a PGP signature and was led into the exercise by the text on your page. Instead of being reassured as intended, I ended up confused and, bizarre as it might seem to you, I'm still not sure why I should now attach any increased level of belief to what is written there. Particularly when the words "undefined trust" come up in the results of the verification.

Ah, yes, that is GPG-insanity right there. That whole concept is putrid IMO and confuses even GPG veterans (why I am working on an alternative, where you get a black & white answer: "Yes this is authenticated", or "You're being hacked").

Quote

(Incidentally, the page source link doesn't "work" on my standard installation of Safari 7.0.6. I get a dialog with the error: "There is no application set to open the URL view-source:https://www.espionageapp.com/".) I don't know if there is a way to overcome that or not.

Use Firefox!

Quote

Anyway, keep up the good work. I really appreciate the effort you are making to simplify encryption for us.